| author | Takamitsu Iwai <[email protected]> | 2025-08-23 08:58:56 +0000 |
|---|---|---|
| committer | Jakub Kicinski <[email protected]> | 2025-08-27 14:43:08 +0000 |
| commit | d860d1faa6b2ce3becfdb8b0c2b048ad31800061 (patch) | |
| tree | a27770249cfd5066696f5bc917acf37170a632d1 /net/rose/rose_timer.c | |
| parent | net: rose: split remove and free operations in rose_remove_neigh() (diff) | |
net: rose: convert 'use' field to refcount_t
The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.
For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.
This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Takamitsu Iwai <[email protected]>
Reviewed-by: Kuniyuki Iwashima <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Diffstat (limited to 'net/rose/rose_timer.c')
| -rw-r--r-- | net/rose/rose_timer.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c index 020369c49587..bb60a1654d61 100644 --- a/net/rose/rose_timer.c +++ b/net/rose/rose_timer.c @@ -180,7 +180,7 @@ static void rose_timer_expiry(struct timer_list *t) break; case ROSE_STATE_2: /* T3 */ - rose->neighbour->use--; + rose_neigh_put(rose->neighbour); rose_disconnect(sk, ETIMEDOUT, -1, -1); break; |
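Review bot: in the ROSE_STATE_2 (T3) case, rose->neighbour is left pointing at the neighbour after `rose_neigh_put(rose->neighbour);`, and the very next line calls rose_disconnect(sk, ETIMEDOUT, -1, -1) on the same socket. With the old `use--` the pointer stayed valid whatever the count was; with a real put it is only valid while some other reference is held, so if this was the last reference the socket now carries a dangling pointer. Consider clearing it right after the put (`rose->neighbour = NULL;`), or state in the commit message why nothing reached from rose_disconnect() or later socket teardown dereferences the pointer or drops the count a second time. A short comment on this case saying which reference the T3 expiry is releasing would also make the pairing with the corresponding hold easier to audit.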
